[OpenAFS] Getting username and IP address from kaserver logs?

Russ Allbery rra@stanford.edu
Wed, 06 Dec 2006 11:34:08 -0800


Jason Edgecombe <openafs@rampaginggeek.com> writes:

> We're planning on turning off the kaserver in our AFS server in favor of
> kerberos 5, but I need to know which users have authenticated using the
> kaserver instead of kerberos 5. I would like the IP address as well.

> I've looked in /usr/afs/logs/AuthLog on my test DB server, but user
> authentications don't seem to be logged.

> How can I enable logging of user authentications through kas similar to
> the logs generated by our Kerberos 5 server?

It's unfortunately really annoying.  You can run kaserver with the -debug
flag and that will give you a separate text log, which will contain the
usernames.  However, it won't show TGT requests, and it prints each client
address as a raw hex integer (the log line formats the address with %x),
unless you also apply the following patch to kaserver, which adds a
TGT-request log entry and prints addresses in dotted-quad form.

--- openafs-1.4.1/src/kauth/kalog.c.orig	2003-07-15 16:15:16.000000000 -0700
+++ openafs-1.4.1/src/kauth/kalog.c	2006-06-23 08:40:58.000000000 -0700
@@ -38,6 +38,9 @@
 #include <time.h>
 #include <signal.h>
 #include <assert.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
 #include <afs/afsutil.h>
 #include "kauth.h"
 #include "kalog.h"
@@ -67,6 +70,7 @@
     char keybuf[512];		/* not random! 63 . 63 , 63 . 63 max key */
     datum key, data;
     kalog_elt rdata;
+    struct in_addr in;
 
     if (!kalog_db)
 	return;
@@ -115,6 +119,9 @@
     case LOG_GETTICKET:
 	strcat(keybuf, ":gtck");
 	break;
+    case LOG_TGTREQUEST:
+	strcat(keybuf, ":tgtreq");
+	break;
     default:
 	break;
     }
@@ -128,7 +135,8 @@
 
     dbm_store(kalog_db, key, data, DBM_REPLACE);
 
-    ViceLog(verbose_track, ("%s from %x\n", keybuf, hostaddr));
+    in.s_addr = hostaddr;
+    ViceLog(verbose_track, ("%s from %s\n", keybuf, inet_ntoa(in)));
 }
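Review bot: `inet_ntoa(in)` on the new `ViceLog(verbose_track, ("%s from %s\n", keybuf, inet_ntoa(in)));` line returns a pointer into a single static buffer, so the text is only valid until the next call and is unsafe if this logging path can be entered from more than one thread at once; whether kaserver's logging is single-threaded is not visible in the hunk. Formatting into a caller-owned buffer avoids the shared state, e.g. `char addrbuf[INET_ADDRSTRLEN]; inet_ntop(AF_INET, &in, addrbuf, sizeof addrbuf);` and passing `addrbuf` to ViceLog; `<arpa/inet.h>` is already added by this patch, but `inet_ntop` may be missing on some of the older platforms OpenAFS 1.4 builds on, so a reentrant helper from `afs/afsutil.h` (already included above), if this tree has one, would be the portable choice. `hostaddr` is an `int` per the `ka_log` signature later in the patch and is stored straight into `in.s_addr`; that is well-defined, but a short comment that the value is expected to already be in network byte order (as the `client->sin_addr.s_addr` caller in krb_udp.c passes) would save the next reader a check. kalog_log's body starts outside the hunk.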
 
 
@@ -141,6 +149,7 @@
        char *realm, int hostaddr, int type)
 {
     char logbuf[512];		/* not random! 63 . 63 , 63 . 63 max key */
+    struct in_addr in;
 
     if (*principal)
 	strcpy(logbuf, principal);
@@ -187,9 +196,13 @@
     case LOG_GETTICKET:
 	strcat(logbuf, ":gtck");
 	break;
+    case LOG_TGTREQUEST:
+	strcat(logbuf, ":tgtreq");
+	break;
     default:
 	break;
     }
 
-    ViceLog(verbose_track, ("%s from %x\n", logbuf, hostaddr));
+    in.s_addr = hostaddr;
+    ViceLog(verbose_track, ("%s from %s\n", logbuf, inet_ntoa(in)));
 }
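Review bot: The `case LOG_TGTREQUEST:` arm and the `in.s_addr = hostaddr; ... inet_ntoa(in)` lines are now an exact duplicate of the additions made to kalog_log earlier in this patch, and the `default: break;` on both switches means a future LOG_ value added to kalog.h without updating both places silently produces a log line with no suffix, which is easy to miss. A single `static const char *kalog_type_suffix(int type)` returning the `":tgtreq"`-style string (or a small static table indexed by type) used by both functions would keep the DBM and non-DBM paths in step, and a `static` address-to-string helper taking a caller-supplied buffer would remove the second `inet_ntoa` static-buffer use at the same time. ka_log's body starts outside the hunk.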
--- openafs-1.4.1/src/kauth/kalog.h.orig	2000-11-04 02:04:38.000000000 -0800
+++ openafs-1.4.1/src/kauth/kalog.h	2006-06-23 08:20:22.000000000 -0700
@@ -27,6 +27,7 @@
 #define	LOG_SETFIELDS		5
 #define	LOG_UNLOCK              6
 #define	LOG_AUTHFAILED	        7
+#define LOG_TGTREQUEST          8
 
 #ifdef AUTH_DBM_LOG
 #ifdef AFS_LINUX20_ENV
--- openafs-1.4.1/src/kauth/krb_udp.c.orig	2003-12-07 14:49:27.000000000 -0800
+++ openafs-1.4.1/src/kauth/krb_udp.c	2006-06-23 08:46:14.000000000 -0700
@@ -399,6 +399,12 @@
     }
     KALOG(name, inst, sname, sinst, NULL, client->sin_addr.s_addr,
 	  LOG_AUTHENTICATE);
+
+    /* STANFORD: Also log tgt requests. */
+    if (cipherLen != 0) {
+	KALOG(name, inst, sname, sinst, NULL, client->sin_addr.s_addr,
+	      LOG_TGTREQUEST);
+    }
     osi_audit(UDPAuthenticateEvent, 0, AUD_STR, name, AUD_STR, inst, AUD_END);
     return 0;
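Review bot: The new `if (cipherLen != 0)` guard is the only thing that distinguishes a TGT request from a plain authenticate, but nothing in the hunk says why a non-zero `cipherLen` means that, and the `/* STANFORD: Also log tgt requests. */` comment does not explain it either; I would expand it to something like `/* STANFORD: a non-zero cipherLen means the client also asked for a TGT; log that separately so TGT use can be counted. */` if that is indeed what it denotes. Note that such a request now emits two KALOG records with identical name/inst/sname/sinst/host (LOG_AUTHENTICATE then LOG_TGTREQUEST), so anyone building a "who still uses kaserver" inventory from the log must count by principal rather than by line, and with AUTH_DBM_LOG both keys are stored. `name` and `inst` are client-supplied and are written into a text log that is about to be used as an inventory; assuming they were validated earlier in this function (outside the hunk) for embedded newlines or the `.`/`,`/`:` separators, log lines cannot be forged, but that is worth confirming. The enclosing UDP authenticate handler starts outside the hunk.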
 
-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>